Tailscale only working in some docker containers, no tailscaled after container startup


I've installed the tailscale plugin and am working to integrate it on various docker containers I'm running. I'm finding it works fine on some containers, but not others, and I can't determine why. There are no errors in the logs, it just seems like tailscaled silently stops running within the container after a perfectly normal startup. I have another container where tailscale works fine and I can access the container's webUI from another device on the tailnet.

 

Here are the logs for a container that doesn't work, Archivebox:

Executing Unraid Docker Hook for Tailscale

Detecting Package Manager...
Detected Advanced Package Tool!
Tailscale Troubleshooting enabled!
Installing additional packages: curl, dnsutils, iputils-ping, speedtest-cli
Installing packages...
Please wait...
Packages installed!
Tailscale not found, downloading...
Please wait...
/tmp/tailscale/tail 100%[===================>]  28.57M  79.4MB/s    in 0.4s    
Download from Tailscale version 1.78.1 successful!
Installation Done!
Settings Tailscale state dir to: /data/.tailscale_state
Setting host name to "archivebox"
Starting tailscaled with log file location: /var/log/tailscaled
Starting tailscale
Some peers are advertising routes but --accept-routes is false
WARNING: Tailscale Key will expire in 179 days.
         Navigate to https://login.tailscale.com/admin/machines and 'Disable Key Expiry' for archivebox
See: https://tailscale.com/kb/1028/key-expiry
Enabling Serve! See https://tailscale.com/kb/1312/serve
Available within your tailnet:

https://archivebox.nebulosa-arcturus.ts.net/
|-- proxy http://localhost:8000

Serve started and running in the background.
Starting container...

=======================

[i] [2025-01-19 21:18:43] ArchiveBox v0.7.2: archivebox server --quick-init 0.0.0.0:8000
    > /data

[^] Verifying and updating existing ArchiveBox collection to v0.7.2...
----------------------------------------------------------------------

[*] Verifying archive folder structure...
    + ./archive, ./sources, ./logs...
    + ./ArchiveBox.conf...

[*] Verifying main SQL index and running any migrations needed...
    Operations to perform:
      Apply all migrations: admin, auth, contenttypes, core, sessions
    Running migrations:
    No migrations to apply.

    √ ./index.sqlite3

[*] Checking links from indexes and archive folders (safe to Ctrl+C)...
    √ Loaded 7164 links from existing main index.
    > Skipping full snapshot directory check (quick mode)

----------------------------------------------------------------------
[√] Done. Verified and updated the existing ArchiveBox collection.

[+] Starting ArchiveBox webserver...
    > Logging errors to ./logs/errors.log
Performing system checks...

System check identified no issues (0 silenced).
January 19, 2025 - 21:18:47
Django version 3.1.14, using settings 'core.settings'
Starting development server at http://0.0.0.0:8000/
Quit the server with CONTROL-C.

 

Note the tailscale download and normal startup with no login prompt. In my Tailscale console I see a timestamped connection from the container that correlates with container startup, but it's not an active connection. If I drop into console on the container and run any tailscale commands, I get this error:

root@7d3e85237b97:/data# tailscale status
failed to connect to local tailscaled; it doesn't appear to be running
root@7d3e85237b97:/data# ps -e
    PID TTY          TIME CMD
      1 ?        00:00:00 dumb-init
    608 pts/0    00:00:05 archivebox
    790 pts/1    00:00:00 bash
    824 pts/1    00:00:00 ps
root@7d3e85237b97:/data# 

The container mappings for tailscale look normal:

[screenshot]

 

And there's nothing helpful in the logs for tailscaled itself:

 

2025/01/19 16:30:59 logtail started
2025/01/19 16:30:59 Program starting: v1.78.1-t8903926f7-gc4163954e, Go 1.23.3: []string{"tailscaled", "-statedir=/data/.tailscale_state"}
2025/01/19 16:30:59 LogID: [base64 here]
2025/01/19 16:30:59 logpolicy: using system state directory "/var/lib/tailscale"
logpolicy.ConfigFromFile /var/lib/tailscale/tailscaled.log.conf: open /var/lib/tailscale/tailscaled.log.conf: no such file or directory
logpolicy.Config.Validate for /var/lib/tailscale/tailscaled.log.conf: config is nil
2025/01/19 16:30:59 dns: [rc=unknown ret=direct]
2025/01/19 16:30:59 dns: using "direct" mode
2025/01/19 16:30:59 dns: using *dns.directManager
2025/01/19 16:30:59 dns: inotify addwatch: context canceled
2025/01/19 16:30:59 linuxfw: clear iptables: exec: "iptables": executable file not found in $PATH
2025/01/19 16:30:59 linuxfw: clear ip6tables: exec: "ip6tables": executable file not found in $PATH
2025/01/19 16:30:59 wgengine.NewUserspaceEngine(tun "tailscale0") ...
2025/01/19 16:30:59 dns: [rc=unknown ret=direct]
2025/01/19 16:30:59 dns: using "direct" mode
2025/01/19 16:30:59 dns: using *dns.directManager
2025/01/19 16:30:59 link state: interfaces.State{defaultRoute=eth0 ifs={eth0:[172.19.0.10/16]} v4=true v6=false}
2025/01/19 16:30:59 onPortUpdate(port=37802, network=udp6)
2025/01/19 16:30:59 router: using firewall mode pref 
2025/01/19 16:30:59 router: iptables not found: firewall mode "iptables" not supported: iptables command run fail: multiple errors:
        exec: "iptables": executable file not found in $PATH
        exec: "ip6tables": executable file not found in $PATH; falling back to nftables
2025/01/19 16:30:59 router: netfilter running in nftables mode, v6 = true
2025/01/19 16:30:59 onPortUpdate(port=33236, network=udp4)
2025/01/19 16:30:59 magicsock: disco key = d:[base64 here]
2025/01/19 16:30:59 Creating WireGuard device...
2025/01/19 16:30:59 Bringing WireGuard device up...
2025/01/19 16:30:59 external route: up
2025/01/19 16:30:59 Bringing router up...
2025/01/19 16:30:59 Clearing router settings...
2025/01/19 16:30:59 Starting network monitor...
2025/01/19 16:30:59 Engine created.
2025/01/19 16:30:59 monitor: [unexpected] network state changed, but stringification didn't: interfaces.State{defaultRoute=eth0 ifs={eth0:[172.19.0.10/16]} v4=true v6=false}
2025/01/19 16:30:59 monitor: [unexpected] old: {"InterfaceIPs":{"eth0":["172.19.0.10/16"],"lo":["127.0.0.1/8","::1/128"],"tunl0":null},"Interface":{"eth0":{"Index":83,"MTU":1500,"Name":"eth0","HardwareAddr":"AkKsEwAK","Flags":51,"AltAddrs":null,"Desc":""},"lo":{"Index":1,"MTU":65536,"Name":"lo","HardwareAddr":null,"Flags":37,"AltAddrs":null,"Desc":""},"tunl0":{"Index":2,"MTU":1480,"Name":"tunl0","HardwareAddr":null,"Flags":0,"AltAddrs":null,"Desc":""}},"HaveV6":false,"HaveV4":true,"IsExpensive":false,"DefaultRouteInterface":"eth0","HTTPProxy":"","PAC":""}
2025/01/19 16:30:59 monitor: [unexpected] new: {"InterfaceIPs":{"eth0":["172.19.0.10/16"],"lo":["127.0.0.1/8","::1/128"],"tailscale0":["fe80::15b2:b292:a5e6:3116/64"],"tunl0":null},"Interface":{"eth0":{"Index":83,"MTU":1500,"Name":"eth0","HardwareAddr":"AkKsEwAK","Flags":51,"AltAddrs":null,"Desc":""},"lo":{"Index":1,"MTU":65536,"Name":"lo","HardwareAddr":null,"Flags":37,"AltAddrs":null,"Desc":""},"tailscale0":{"Index":3,"MTU":1280,"Name":"tailscale0","HardwareAddr":null,"Flags":57,"AltAddrs":null,"Desc":""},"tunl0":{"Index":2,"MTU":1480,"Name":"tunl0","HardwareAddr":null,"Flags":0,"AltAddrs":null,"Desc":""}},"HaveV6":false,"HaveV4":true,"IsExpensive":false,"DefaultRouteInterface":"eth0","HTTPProxy":"","PAC":""}
2025/01/19 16:30:59 LinkChange: major, rebinding. New state: interfaces.State{defaultRoute=eth0 ifs={eth0:[172.19.0.10/16]} v4=true v6=false}
2025/01/19 16:30:59 onPortUpdate(port=37802, network=udp6)
2025/01/19 16:30:59 onPortUpdate(port=33236, network=udp4)
2025/01/19 16:30:59 Rebind; defIf="eth0", ips=[172.19.0.10/16]
2025/01/19 16:30:59 magicsock: 0 active derp conns
2025/01/19 16:30:59 pm: using backend prefs for "profile-8495": Prefs{ra=false dns=true want=true routes=[] statefulFiltering=false nf=on host="archivebox" update=check Persist{lm=, o=, n=[gq9gI] u="SensibleSalmon@github"}}
2025/01/19 16:30:59 logpolicy: using system state directory "/var/lib/tailscale"
2025/01/19 16:30:59 monitor: gateway and self IP changed: gw=172.19.0.1 self=172.19.0.10
2025/01/19 16:30:59 got LocalBackend in 15ms
2025/01/19 16:30:59 Start
2025/01/19 16:30:59 Backend: logs: be:[base64 here] fe:
2025/01/19 16:30:59 control: client.Login(0)
2025/01/19 16:30:59 control: doLogin(regen=false, hasUrl=false)
2025/01/19 16:30:59 health(warnable=warming-up): error: Tailscale is starting. Please wait.
2025/01/19 16:30:59 Start
2025/01/19 16:30:59 Backend: logs: be:[base64 here] fe:
2025/01/19 16:30:59 control: client.Login(0)
2025/01/19 16:30:59 control: client.Shutdown ...
2025/01/19 16:30:59 control: updateRoutine: exiting
2025/01/19 16:30:59 control: mapRoutine: exiting
2025/01/19 16:30:59 health(warnable=login-state): error: You are logged out. The last login error was: fetch control key: Get "https://controlplane.tailscale.com/key?v=109": context canceled
2025/01/19 16:30:59 control: authRoutine: exiting
2025/01/19 16:30:59 control: Client.Shutdown done.
2025/01/19 16:30:59 control: doLogin(regen=false, hasUrl=false)
2025/01/19 16:31:03 control: control server key from https://controlplane.tailscale.com: ts2021=[fSeS+], legacy=[nlFWp]
2025/01/19 16:31:03 control: RegisterReq: onode= node=[gq9gI] fup=false nks=false
2025/01/19 16:31:04 health(warnable=warming-up): ok
2025/01/19 16:31:04 control: RegisterReq: got response; nodeKeyExpired=false, machineAuthorized=true; authURL=false
2025/01/19 16:31:04 health(warnable=login-state): ok
2025/01/19 16:31:05 control: netmap: got new dial plan from control
2025/01/19 16:31:05 health(warnable=not-in-map-poll): ok
2025/01/19 16:31:05 active login: SensibleSalmon@github
2025/01/19 16:31:05 serve: creating a new proxy handler for http://localhost:8000
2025/01/19 16:31:05 Switching ipn state NoState -> Starting (WantRunning=true, nm=true)
2025/01/19 16:31:05 magicsock: SetPrivateKey called (init)
2025/01/19 16:31:05 wgengine: Reconfig: configuring userspace WireGuard config (with 0/4 peers)
2025/01/19 16:31:05 wgengine: Reconfig: configuring router
2025/01/19 16:31:05 wgengine: Reconfig: configuring DNS
2025/01/19 16:31:05 dns: Set: {DefaultResolvers:[] Routes:{[my tailnet].ts.net.:[] ts.net.:[some IPs here]}+65arpa SearchDomains:[my tailnet.] Hosts:5}
2025/01/19 16:31:05 dns: Resolvercfg: {Routes:{.:[127.0.0.11] ts.net.:[[some IPs here]} Hosts:5 LocalDomains:[my tailnet]+65arpa}
2025/01/19 16:31:05 dns: OScfg: {Nameservers:[100.100.100.100] SearchDomains:[my tailnet] }
2025/01/19 16:31:05 rename of "/etc/resolv.conf" to "/etc/resolv.pre-tailscale-backup.conf" failed (rename /etc/resolv.conf /etc/resolv.pre-tailscale-backup.conf: device or resource busy), falling back to copy+delete
2025/01/19 16:31:05 peerapi: serving on http://100.100.87.94:36238
2025/01/19 16:31:05 peerapi: serving on http://[fd7a:115c:a1e0::8501:575f]:46291
2025/01/19 16:31:05 listening on [fd7a:115c:a1e0::8501:575f]:443
2025/01/19 16:31:05 listening on 100.100.87.94:443
2025/01/19 16:31:05 magicsock: home DERP changing from derp-0 [0ms] to derp-21 [7ms]
2025/01/19 16:31:05 health(warnable=no-derp-home): ok
2025/01/19 16:31:05 magicsock: home is now derp-21 (tor)
2025/01/19 16:31:05 magicsock: adding connection to derp-21 for home-keep-alive
2025/01/19 16:31:05 magicsock: 1 active derp conns: derp-21=cr0s,wr0s
2025/01/19 16:31:05 control: NetInfo: NetInfo{varies=false hairpin= ipv6=false ipv6os=true udp=true icmpv4=false derp=#21 portmap= link="" firewallmode="nft-forced"}
2025/01/19 16:31:05 derphttp.Client.Connect: connecting to derp-21 (tor)
2025/01/19 16:31:05 Switching ipn state Starting -> Running (WantRunning=true, nm=true)
2025/01/19 16:31:05 magicsock: endpoints changed: [my public IP]:33236 (stun), 172.19.0.10:33236 (local)
2025/01/19 16:31:05 magicsock: derp-21 connected; connGen=1
2025/01/19 16:31:05 health(warnable=no-derp-connection): ok
2025/01/19 16:31:05 [RATELIMIT] format("health(warnable=%s): ok")

Here's the output from a container with working tailscale:

 

sh-5.2# tailscale status
100.93.228.51   alexandria-syncthing MyUsername@ linux   -
100.100.87.94   archivebox           MyUsername@ linux   offline
100.64.141.34   gsv-alexandria       MyUsername@ linux   - # this is the unraid server itself
sh-5.2# ps -e
    PID TTY          TIME CMD
      1 ?        00:00:00 dumb-init
     37 ?        00:00:00 tailscale
     38 ?        00:00:23 tailscaled
    201 ?        00:00:00 supervisord
    255 ?        00:00:00 start.sh
    256 ?        00:00:00 bash
    258 ?        00:00:00 syncthing
    271 ?        00:01:17 syncthing
    427 pts/0    00:00:00 sh
    438 pts/1    00:00:00 sh
    520 pts/2    00:00:00 sh
    532 pts/2    00:00:00 ps

I've tried fiddling with the container networking mode, with the tailscale networking mode, with forwarding ports or not, and am at a loss. I don't understand why tailscaled appears to crash after startup.

 

I've attached the tailscale plugin diagnostics file in case there are any clues in it.

GSV-Alexandria-tailscale-diag-20250119-162331.zip
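
The symptom in the post above (the tailscaled log shows a clean start, yet `ps -e` no longer lists the process) can be checked mechanically from saved output. This shell sketch is an added example, not part of the original thread or of the Unraid or Tailscale tooling; the function names and verdict strings are hypothetical and the sample inputs are constructed from the outputs quoted above. It reports how far the daemon got before it disappeared, not why it exited.

```shell
#!/bin/sh
# Added example (not from the thread): classify a "tailscaled is gone" container
# from two saved outputs. On a live host they would come from, e.g.:
#   docker exec <container> ps -e
#   docker exec <container> cat /var/log/tailscaled

# Exit 0 if `ps -e` text on stdin lists a process named exactly "tailscaled".
daemon_running() {
    awk '$NF == "tailscaled" { found = 1 } END { exit !found }'
}

# Print the last ipn state the daemon logged (e.g. Running), or "none".
last_ipn_state() {
    awk '/Switching ipn state/ { for (i = 1; i < NF; i++) if ($i == "->") s = $(i + 1) }
         END { print (s == "" ? "none" : s) }'
}

# Print every health warnable whose most recent log entry is an error.
open_warnables() {
    awk 'match($0, /health\(warnable=[^)]+\): (ok|error)/) {
             m = substr($0, RSTART, RLENGTH); n = m
             sub(/^health\(warnable=/, "", n); sub(/\).*/, "", n)
             last[n] = (m ~ /error$/) ? "error" : "ok"
         }
         END { for (n in last) if (last[n] == "error") print n }' | sort
}

# triage PS_TEXT LOG_TEXT -> one-word verdict on stdout.
triage() {
    if printf '%s\n' "$1" | daemon_running; then echo running; return 0; fi
    case "$(printf '%s\n' "$2" | last_ipn_state)" in
        Running) echo exited-after-running ;;
        none)    echo never-logged-startup ;;
        *)       echo exited-during-startup ;;
    esac
}

# Constructed samples, shortened from the outputs quoted in the thread.
SAMPLE_PS='    PID TTY          TIME CMD
      1 ?        00:00:00 dumb-init
    608 pts/0    00:00:05 archivebox'
SAMPLE_LOG='2025/01/19 16:30:59 health(warnable=login-state): error: You are logged out.
2025/01/19 16:31:04 health(warnable=login-state): ok
2025/01/19 16:31:05 Switching ipn state NoState -> Starting (WantRunning=true, nm=true)
2025/01/19 16:31:05 Switching ipn state Starting -> Running (WantRunning=true, nm=true)'

triage "$SAMPLE_PS" "$SAMPLE_LOG"     # prints: exited-after-running
```

A verdict of `exited-after-running` together with an empty `open_warnables` result means the log itself holds no error to chase, so the next place to look is whatever ran in the container after tailscaled reached the Running state.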

42 minutes ago, SensibleSalmon said:

Archivebox

I've just tried it but the download from DockerHub took ages...

 

On a fresh install I get this:

[screenshot]

 

ArchiveBox doesn't seem very happy when putting the state directory into the main folder; however, disabling the integration and letting the container start for the first time seems to have fixed it:

[screenshot]

 

I can access Archivebox through my Tailnet as you can see above.

 

My configuration looks like this:

[screenshot]

 

I also have all information on the Docker page about the container:

[screenshot]

 

Connections through the Tailscale URL are also possible:

[screenshot]

 

Could it be the case that your state dir is maybe messed up?

 

Please do the following:

  1. Stop the container
  2. Delete the .tailscale_state directory from your data directory from ArchiveBox
  3. Delete the already registered machine in your Tailnet
  4. Click on force update on the Docker page for ArchiveBox
  5. Start the container
  6. Open the logs and re-authenticate via the Tailscale link in the logs

 

Please note that I haven't installed the Tailscale Plugin on my Server. What you can also try is to disable Tailscale DNS in the plugin settings.

  • Author

Hmm, that didn't work, so I gave up and "reinstalled" the container, which (eventually, after sorting some permissions issues) _did_ work! Again, I don't know why: the configs all look the same, network-wise.

 

Oh well! Thanks for the consult!

6 hours ago, SensibleSalmon said:

Hmm, that didn't work, so I gave up and "reinstalled" the container, which (eventually, after sorting some permissions issues) _did_ work! Again, I don't know why: the configs all look the same, network-wise.

 

Oh well! Thanks for the consult!

I'm glad to hear that it is now working for you!
